Cryptography Reference
In-Depth Information
Another active attack against Elgamal exploits its malleability. If Oscar observes
the ciphertext ( k E , y ), he can replace it by
( k E , sy ) ,
where s is some integer. The receiver would compute
k M
d k pr ( k E , sy )
sy
·
mod p
k M
s ( x
·
k M )
·
mod p
sx mod p
Thus, the decrypted text is also a multiple of s . The situation is exactly the same
as for the attack that exploited the malleability of RSA, which was introduced in
Section 7.7. Oscar is not able to decrypt the ciphertext, but he can manipulated it
in a specific way. For instance, he could double or triple the integer value of the
decryption result by choosing s equal to 2 or 3, respectively. As it was the case
for RSA, schoolbook Elgamal encryption is often not used in practice, but some
padding is introduced to prevent these types of attacks.
8.6 Discussion and Further Reading
Diffie-Hellman Key Exchange and Elgamal Encryption The DHKE was intro-
duced in the landmark paper [58], which also described the concept of public-key
cryptography. Due to the independent discovery of asymmetric cryptography by
Ralph Merkle, Hellman suggested in 2003 that the algorithm should be named
“Diffie-Hellman-Merkle key exchange”. In Chapter 13 of this topic, a more de-
tailed treatment of key exchanges based on the DHKE is provided. The scheme is
standardized in ANSI X9.42 [5] and is used in numerous security protocols such
as TLS. One of the attractive features of DHKE is that it can be generalized to any
cyclic group, not only to the multiplicative group of a prime field that was shown in
this chapter. In practice, the most popular group in addition to
p is the DHKE over
Z
an elliptic curve that is presented in Section 9.3.
The DHKE is a two-party protocol. It can be extended to a group key agreement
in which more than two parties establish a joint Diffie-Hellman key, see, e.g., [38].
The Elgamal encryption as proposed in 1985 by Tahar Elgamal [73] is widely
used. For example, Elgamal is part of the free GNU Privacy Guard (GnuPG),
OpenSSL, Pretty Good Privacy (PGP) and other crypto software. Active attacks
against the Elgamal encryption scheme such as those discussed in Section 8.5.4
have quite strong requirements that have to be fulfilled, which is quite difficult in
reality. There exist schemes which are related to Elgamal but have stronger security
properties. These include, e.g., the Cramer-Shoup System [49] and the DHAES [1]
scheme proposed by Abdalla, Bellare and Rogaway; these are secure against chosen
ciphertext attacks under certain assumptions.
Search WWH ::




Custom Search